Removing Adware in ~/Library/Application Support

Question

I recently installed some software that was clearly malicious but it didn't function and I started getting popups in my browser, changed my default search engine, and installed some malicious chrome extensions :(

I did scans with both Sophos and Malwarebytes which both discovered some sources in ~/Library/Application Support/com.* which I removed and it seems for now that everything is fixed.

I'm curious about what kind of files are supposed to be ~/Library/Application Support so I can know if any are malicious ones that weren't picked up by the antivirus systems.

There are plenty with apple in their names so it's hard for me to tell if they are legit or not

com.apple.ContextStoreAgent
com.apple.MediaPlayer
com.apple.NewDeviceOutreach
com.apple.ProtectedCloudStorage
com.apple.TCC
com.apple.akd
com.apple.ap.promotedcontentd
com.apple.avfoundation
com.apple.backgroundtaskmanagementagent
com.apple.exchangesync
com.apple.mobileAssetDesktop
com.apple.replayd
com.apple.sbd
com.apple.sharedfilelist
com.apple.spotlight

Some general wisdom about how adware works on a lower level and how to go about debugging the sources of various popup-like problems without just resorting to antivirus would also be appreciated to help improve my technical/security literacy.

Thanks

Answer 1

Anything could be in ~/Library/Application Support. There is no enforcement of what is in there,

Apple's File System documentation says that ~/Library/Application Support should contain configuration files and data files:

Use this directory to store all app data files except those associated with the user’s documents. For example, you might use this directory to store app-created data files, configuration files, templates, or other fixed or modifiable resources that are managed by the app. An app might use this directory to store a modifiable copy of resources contained initially in the app’s bundle. A game might use this directory to store new levels purchased by the user and downloaded from a server.

All content in this directory should be placed in a custom subdirectory whose name is that of your app’s bundle identifier or your company.

As for malware that is too broad, for one could question on Stack Exchange.

Answer 2

Anti-viruses doesn't just look at the folder names and assume "Oh that's a system folder, let's leave that alone", "Oh that's not com.apple.* so let's delete it!"

They usually scan files for malicious code, so you shouldn't need to remove anything.

And, they also scan folders like Application Support and even if it's a com.apple.*, it'll still check files in that. So you shouldn't have to worry.

You have stated, though, this:

Some general wisdom about how adware works on a lower level and how to go about debugging the sources of various popup-like problems without just resorting to antivirus

Which, to me, sounds like you don't want to use an anti-virus so I'd recommend looking for folders that have names that you haven't seen on your mac before. Let's say you have an app called "UIDownloader" (example name), it'd probably have a Preferences/Config file in Application Support under a folder called "com.example.uidownloader".

But if you have a folder called "com.example.suspiciousfolder" but you haven't seen that name in an application or such then you could check through it or just delete it altogether.